Path: utzoo!utgpu!news-server.csri.toronto.edu!clyde.concordia.ca!uunet!auspex!guy
From: guy@auspex.auspex.com (Guy Harris)
Newsgroups: comp.unix.questions
Subject: Re: Suid script security
Message-ID: <3877@auspex.auspex.com>
Date: 11 Aug 90 21:01:33 GMT
References: <14920003@hpdmd48.boi.hp.com> <7285@star.cs.vu.nl>
Organization: Auspex Systems, Santa Clara
Lines: 27

>Now, what if the name of the very shell script were e.g. "-i"? Wouldn't that
>give a nice exec?
>
>	execl("/bin/sh", "sh", "-i", (char *) 0);
>
>So link the script to a file named "-i", and voila!
>Yes, one needs write permission somewhere on the same device, if one's
>operating system doesn't support symbolic links.
>
>What about the csh command interpreter? Well, 4.2BSD provides us with a csh
>which has a NEW option: "-b"! Its goal is to avoid just the thing described
>above:

Whereas the Bourne shell already has an option whose effect is to avoid
the thing just described above - "-".  Yup, just a dash by itself, as in

	#! /bin/sh -

>the mnemonic for `b' is `break';

To quote the C shell source code:

		case 'b':		/* -b	Next arg is input file */
			batch++;

so I don't think the mnemonic was intended to be "break"....
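
Added example, not part of the original post: a small C checker that, given a script's "#!" line and the name it is invoked under, reports whether the shell would read that name as an option. The function names are hypothetical, the sample inputs are constructed, and it assumes the "#!" line carries at most one argument and that csh flags may be combined in one word (e.g. "-fb").

```c
#include <stdio.h>
#include <string.h>

/* Parsed "#!" line: interpreter path plus at most one argument. */
struct shebang { char interp[64]; char arg[64]; };

/* Split e.g. "#! /bin/sh -" into interpreter and optional argument.
 * Returns 0 on success, -1 if the line is not a usable "#!" line. */
int parse_shebang(const char *line, struct shebang *sb)
{
    sb->interp[0] = sb->arg[0] = '\0';
    if (strncmp(line, "#!", 2) != 0)
        return -1;
    /* %63s skips leading blanks; arg stays empty when no argument is given */
    return sscanf(line + 2, "%63s %63s", sb->interp, sb->arg) >= 1 ? 0 : -1;
}

/* Does the "#!" argument stop option parsing before the script name?
 * Per the post: "-" for the Bourne shell, "-b" for the 4.2BSD C shell. */
int ends_options(const struct shebang *sb)
{
    const char *base = strrchr(sb->interp, '/');
    base = base ? base + 1 : sb->interp;
    if (strcmp(base, "sh") == 0)
        return strcmp(sb->arg, "-") == 0;
    if (strcmp(base, "csh") == 0)   /* assumption: flags may be combined */
        return sb->arg[0] == '-' && strchr(sb->arg + 1, 'b') != NULL;
    return 0;                       /* unknown interpreter: assume unprotected */
}

/* 1 if a script run under script_name would have that name read as an option. */
int name_read_as_option(const char *line, const char *script_name)
{
    struct shebang sb;
    if (parse_shebang(line, &sb) != 0)
        return 0;                   /* not an interpreter script */
    return script_name[0] == '-' && !ends_options(&sb);
}

int main(void)
{
    /* Constructed sample inputs */
    const char *lines[] = { "#! /bin/sh", "#! /bin/sh -", "#! /bin/csh -b" };
    const char *names[] = { "-i", "report" };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 2; j++)
            printf("%-15s as %-7s -> %s\n", lines[i], names[j],
                   name_read_as_option(lines[i], names[j]) ? "option" : "file");
    return 0;
}
```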